The Magnificent Seven – 2017
Alias: M-7 2017
Seven trends impacting Information Security Officers of Small Institutions!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . .
Welcome to the Magnificent Seven, my annual predictive article, affectionately dubbed “M7,” about the seven trends in bank technology that will impact Information Security Officers. My intention is to help you organize your thoughts for the upcoming year.
Let me jump right into the article by highlighting one such trend, continuing for the third year in a row – information overload. This year we’re continuing our complaint about information overload, as there have been six documents published by the FFIEC since the Cybersecurity Assessment Tool. And if that wasn’t enough, individual regulators are publishing their own guidance.
Thus, to aid my disheveled Clients (as Yul Brynner would?), we’re getting out ahead of the M-7 article schedule this year, shooting to publish our predictions as early as Thanksgiving Day. To put the magnitude of that change in perspective, remember that last year’s M-7 was published in February 2016.
Dan’s New Leaf should help us BREAK through the information overload. Heck, our slogan is “Fight the Noise.” So, if you wish to avoid what you’ve read in the past, let me posit how this article will be organized:
- An explanation of the M-7, and how it’s based in awareness.
- Track Record – our M-7 for 2016 and how we think we did.
- The Original Twenty-Two — the list of trends that were considered for the M-7.
- The Magnificent Seven – the top seven trends impacting information security officers of small institutions in 2017.
Why we call this the M-7
The Magnificent Seven is a 1960 western, based on The Seven Samurai. In it, a Mexican village is at the mercy of Calvera, the leader of a band of outlaws. Incapable of standing up to Calvera, the village hires seven American gunslingers to protect them during Calvera’s raids.
Over time, the professional gunmen . . . played by the greatest western actors of the time . . . realized that they would NEVER be able to truly protect all the citizens of the community, unless they taught the villagers to defend themselves.
And so you must always realize when digesting our M-7 that we place a much greater priority on “awareness” than most organizations. We believe the best defense against cyber attacks is not technology, but education.
And no, Dan Hadaway does not always refer to himself in the third person, or talk about what he has done as “we.” You see, I involve my whole team in helping us decide what the top seven trends are. That way I’ve cast the net over the waters of the hardcore techies, those working with Information Security Officers regularly, those doing technical audits of small banks, those reviewing the policies and procedures of said banks, and then of course me, the guy who likes to make philosophy of it all!
And like the Magnificent Seven, we learned a long time ago that true security comes from doing it yourself. We have always found awareness training to be “nine-tenths of the battle.”
The 2016 Track Record
It’s looking like we kicked butt in our 2016 predictions. You can say we got all of them at least partially right. However, in the spirit of “maturity versus yes/no assessments,” we are using “maturity levels” . . . honoring the Magnificent Seven theme:
- Explosion! Blew it up with a cannon!
- Rat-a-tat! Took ‘em out with a Gatling gun!
- Bam! Hit this nail right on the head!
- Pop! Got this partially right!
- Wave the White Flag
And in our review of the 2016 M-7, we’ve decided we have Three Explosions, One Rat-a-Tat, One Bam, and Two Pops! Not once did we have to wave the white flag this year! (Compare that to 2015, where we had four right and three wrong.)
So, last year, after starting out with twelve and going up to fifteen and cutting and trimming, we ended up with the following 2016 trend predictions:
- Awareness In All Directions: In 2016, we doubled down on our top pick for 2015. In 2015, we had called this trend “The End of Procrastination.” We considered calling it “We Become Aware” or “We become aware that we need to be aware.” I personally liked, “We’ve Woken to the Notion!” But what this means is that EVERYBODY is becoming aware not only of the threats and vulnerabilities, the likelihoods and impacts, but also the controls. And most importantly, they are becoming aware that the number one control is THEM.
Our 2017 Take: Explosion! Blew it up with a cannon! We’ve been invited to speak to the board of EVERY AUDIT CLIENT we have, and the rest is history. By making our boards aware of the CEO/Board Overview from the Cybersecurity Assessment Tool, we have created a security culture in our organizations. Awareness is no longer something we bolt on . . . . it’s baked in now! We’re including it in the 2017 trend list again, and rolling Incident Response Team training in with it!
- Training Your Incident Response Team: Since it’s not a matter of if, but of when, let’s “prepare to fail,” as I heard Lee Wetherington put it at the IBA’s Cybersecurity Conference last year. This will include more formalized agendas, incident response tabletop tests, and yes, even some functional testing!
Our 2017 Take: Explosion! Blew it up with a cannon! We’ve been moderating incident response test after incident response test. Our webinars about incident response training have been very well attended. Most examiners are adding “incident response tests” to their checklists. Meanwhile, we have seen strong interest in our upcoming movie, “Vigilize This – Training for the Incident Response Team!”
- Who gets attacked: In 2016 we doubled down on one that didn’t prove true in 2015. We still believe that who gets attacked will continue to evolve. Right now the bad guys are focused on the unregulated industries and commercial accounts using ACH and Wire Transfer over the internet (Corporate Account Takeovers). I fear that sometime in the near future an attack on K-12 schools will be the buzz of the talking heads. But as we control this risk, criminals will start to focus more and more on our noncommercial consumers. We hear reports of pretext calls meant to populate databases that could help attackers sort the rich from the poor. The controls we’re using on ACH and Wire Transfer may need to be extended to Billpay. This may or may not completely materialize in 2016, but by the end of the year we could be having discussions about implementing stronger authentication and detect-and-respond for more than those currently identified as our “high risk customers.” Another way of putting this . . . in 2016 we may be considering adding “Average Daily Balance > X Using Billpay” to our definition of “high risk customer,” and applying Supplemental Controls (Multifactor Authentication, Detect and Respond, and Customer Education) accordingly.
Our 2017 Take: Pop! Got this one partially right! All we need to say is “wikileaks!” Hillary Clinton would say this one was an explosion. Still, our vision was an attack on schools, and we (fortunately) have not seen this materialize yet.
- Adoption of Security Information Event Management Systems: On June 30th, 2015, if you listened closely, you may have heard cheers coming from your MSSP’s corporate headquarters. We’ve always maintained that SIEM (and primarily the event log management components of a typical SIEM) should be considered a basic control, but we never sold it that way, because we didn’t feel the FFIEC Guidance spelled it out as clearly as we would have wished. However, the Cybersecurity Assessment Tool has created the compliance need for a SIEM (what infotex has always called ELM). We think the CAT will now cause auditors, regulators, and examiners to start waking up to the truth that banks are not really watching their event logs, and your MSSP is not correlating network traffic to event logs.
Note: We may be proved wrong on this yet again. We developed our first SIEM in 2005, and have been patiently waiting for this trend to actually occur! Still, in conferences at the end of last year, we all heard both auditors and regulators describe SIEM as a “basic control.” The NIST Cybersecurity Standard sees it this way as well.
Our 2017 Take: Rat-a-tat! Took ‘em out with a Gatling Gun! We have experienced unprecedented growth in SIEM sales throughout 2016. What we envisioned in 2005 is finally a “standard control” for most small institutions.
- Continued Adoption of Do It Yourself Banking: We believe that on-line applications, mobile banking and the use of social media for traditional banking processes such as applications and problem-solving . . . and all the other forces keeping your customers from entering your branch . . . are only going to continue. The reason we include it in a list like this is because as an ISO you need to help your management realize this. The additional costs of information security should be offset by the notion that Branchless Banking is no longer a phenomenon, it is the reality of banking. It’s the branch that is the phenomenon . . . .
Our 2017 Take: Bam! Hit this nail right on the head! Last year we predicted consumers would continue to take advantage of technologies that allow them to conduct their banking outside of branch offices in increasing numbers, and the Federal Reserve’s annual report on Consumers and Mobile Financial Services has backed that up: 43% of mobile phone users with a bank account report using mobile banking services in the past 12 months, which is up from 39 and 33 percent in 2014 and 2013, respectively.
As acceptance of mobile banking and bill payments approaches 50% I think it’s safe to say that it’s the reality of banking, but that there’s enough distrust of the technology that physical branches are going to remain for a while—something like 80 percent of those who said they didn’t use mobile banking cited security as a concern.
- Lawyers Continue to Join the Incident Response Team: We are seeing more and more attorneys recognize the billing potential of information security in general and incident management more specifically. But this is a good thing. Most of the risk, once an incident HAS occurred, is legal risk. And you should consider adding the expense of having your bank’s attorney join your incident response test. The two-way education in advance of a panic is worth the money.
Our 2017 Take: Pop! We got this partially right. Imagine my excitement when, about a week after we published the 2016 article, I tested an incident response team that had an attorney on it! But that was anecdotal, as it was the last team I encountered that actually staffed a lawyer. Still, I feel we can say we got this one half right, because I do see institution after institution running their incident response documents past their attorneys . . . proactively in 2016, whereas in earlier years this was done during an actual incident.
- The Encryption of Everything: We’re sort of combining two trends here. We believe the implications of the fact that bad guys can encrypt too are being vetted in the mainstream media. But while we’ve always been adamant that data in motion should be encrypted, we’re also seeing more and more emphasis on encryption of data at rest. And not just on mobile devices.
Our 2017 Take: Explosion! We blew this up with a cannon! In 2015 we predicted seeing continued emphasis on encryption, and 2016 has borne this out—and like we thought, it wasn’t just the good guys who have embraced the trend! Trend Micro released a security roundup in August that estimated the number of encryption-backed ransomware attacks in the first half of 2016 had surpassed 2015’s total by almost 175% to become one of the most predominant threats online.
Meanwhile, can you say “San Bernardino” and “Apple?” Yes, that happened in 2016.
On the legitimate side of things, a survey by security firm Sophos found the majority of IT Directors across seven business sectors already used encryption “to some degree,” with nearly 70% going on to say they planned to expand their use of the technology within two years. There’s still room to grow here though, with that same study showing less than a third of businesses always encrypted mobile devices such as smartphones and laptops.
The Original Twenty-Two
In keeping with tradition established last year, we’re going to just give you a list of the original ideas that we analyzed when we came up with this year’s list. Boy, this year we ended up having a large list to start with . . . 22 in all. But that’s because we included what we looked at in 2016.
- Awareness in All Directions
- Incident Response Team Training
- Who Gets Attacked – Schools, Infrastructure
- SIEM Adoption Continues
- Continued Adoption of Do-It-Yourself Banking
- Lawyers on the Incident Response Team
- Encryption of Everything Continues
- The Management Booklet Update
- Encryption by Bad Guys
- EMV Chip Implications
- Two Factor Authentication Everywhere – The Elimination of Passwords in Banking?
- Outsourcing Information Security – Patch Management, Vulnerability Management, VISOs and More.
- Return of Breach News Parade
- Examiners Gain Comfort with Cats (alias, The CAT FAQ)
- Two Important Guidance Updates (Management Booklet and Information Security Booklet) and the Risk of More
- Information Overload
- Everything 3.0 – Circling back around to mobile, branchless banking, infrastructure design, virtualization, etc.
- Healthcare and Others Step Up, Causing a Shortage of Information Security Services
- CATOs aren’t over, and turn into Personal Account Take Overs
- The Worldwide CyberWar (between USA, Russia, China, Iran) Continues
- The Internet Of Things Sneaks into Banks
- The VISO Concept Continues
The Magnificent Seven 2017
(Drum Roll Please)
So we trimmed and cut, and the seven top trends to consider for 2017 are:
1. Information Overload: As we said at the beginning of the article, this is the most impactful trend of 2017. One of the likeliest risks you face right now is the fact that the Cybersecurity Assessment Tool, released in a mix of six new guidance publications by the FFIEC, was only the beginning. Six documents have been released since then, and they are all very good releases. And this does not include documents released by your individual regulators. These have, in the past, usually been regurgitations of new FFIEC guidance. However, this doesn’t seem to be the case. The OCC is doubling down on their “MRA for Everywhere Not At Baseline” threat while the FDIC released its InTREx audit work program. The Fed is hammering banks for not tying audits to risk assessments while the NCUA is starting to demand general controls audits. To avoid overloading you with information about information overload, we’ve provided the details of this problem in a sidebar.
2. Continued Adoption of Security Information Event Management Systems: This is our third year of maintaining that the adoption of SIEM is huge. Thanks to the Cybersecurity Assessment Tool, event log management practices are now considered basic controls. The rest of the world is starting to catch up, so lock in on your pricing now . . . we think it may be going up!
3. The Outsourcing of Information Security: The board of directors, now being on board, is getting bored with the details of our struggles managing the security part of the IT Governance Process. They’re now encouraging us to pick up on an idea we had long since abandoned: the outsourcing of vulnerability scanning, vulnerability management, and patch management. (On top of, of course, malware analysis, forensics investigation, intrusion detection, intrusion prevention, event log management, network monitoring, and threat intelligence!) And this doesn’t even get to a big upswing in a brand new trend – the Virtual Information Security Officer Concept, which is just starting to take off. We’re seeing banks as large as 500 million looking into the VISO concept, and many are finding it productive!
4. Encryption by Bad Guys: The encryption of everything proved to be a true trend in 2016, and we think this will continue in 2017. But we want to highlight one small part of the trend we successfully predicted for 2016 . . . that the bad guys are delivering malicious payloads in encrypted form, so the very encryption we provide to protect our customers also hides the attacker’s traffic from our sensors. It’s a weakness in the very systems we provide, and we are running out of time when it comes to finding viable solutions. Look for the cost of IPS/IDS sensors to increase as “SSL Inspection” becomes a trend. We think, and hope, this will be a “white flag” or maybe a “pop” in our 2018 evaluation of our 2017 predictions. But all the same, we need to start preparing!
5. The Internet of Things Sneaks into Banking: If you’re saying the internet of things doesn’t impact your bank, take a look at your risk. There’s a chance that the watch you’re wearing . . . or possibly the Fitbit or Garmin or some other wearable . . . is syncing to the internet through your network. And while the IoT may not represent maximum risk to us in 2017, we had better start learning about the phenomenon, starting with the notion that most of these IoT devices are not updatable, meaning that if you wanted to keep your health records secure when you tried on that Fitbit, you probably have a device which has long been “sunset” from a security vulnerability management perspective.
6. Everything 3.0: This is a trend-definition that I snuck into the mix to cover several trends that were NOT making it into the list. It symbolizes my belief that one of the big things a lot of my Clients are planning for 2017 is a “return to the basics.” They want to circle back around to more simplified iterations of systems developed over the last decade or so. The last time I saw this was in 2009, probably out of the fact that, heading into 2010, everybody was updating their “business plan” and thus their technology strategy. But what I envision with this is a return to Mobile Security, Mobile Payments, Mobile Banking, Internet Banking Products, Corporate Account Takeover Response, Detect and Respond, Network Monitoring Controls, Infrastructure Design, and Branchless banking. Yes, a strong 2016 trend was the continuation of “Do It Yourself Banking,” and Everything 3.0 is banking’s response to that trend.
7. Awareness In All Directions: We think our number one trend from 2016 will continue well past 2017. That’s because we have indeed “Woken to the Notion!” We are aware that we need to be aware, and awareness training will continue to be an important focus in 2017, starting with management and our incident response teams and ending with our Billpay customers (because though Continued CATOs didn’t make it into the M-7, they are still going to be a trend for some people!). And, of course, if we want to remain successful, we will continue to improve our messaging to our Board of Directors. Plus our technical team needs to learn the new guidance, as do compliance officers and auditors. This will be the third year this trend has made it into the Magnificent Seven.
So there you have it. Let’s face it, the community needs a new Magnificent Seven to teach information security best practices to our employees, partners and customers. Apparently the new movie released in September won’t cut it. I haven’t seen it, and because I haven’t heard rave reviews I’m not terribly concerned by that. I will, however, watch the original over the Thanksgiving weekend!
Oh, and if you haven’t seen the original movie, know that the Village eventually wins the battle with Calvera. It was a happy ending.
I guess that might be where the metaphor breaks down. I don’t believe there will ever be an ending to the movie, “IT Governance.”
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.